Welcome to SecureDrop’s documentation!

SecureDrop is an open-source whistleblower submission system that media organizations can use to securely accept documents from and communicate with anonymous sources.

User Guides

• Source Guide
  • Choose who to submit to
  • Get the Tor Browser
  • Making your First Submission
  • Continuing the Conversation
• Journalist Guide
  • Workflow
  • Create GPG key for the journalist
  • Connect to the Document Interface
  • Move Documents to the Secure Viewing Station
  • Decrypt and work on the Secure Viewing Station
  • Interact With Sources
  • Work with Documents
  • Encrypt and move documents to Journalist Workstation
  • Decrypt and prepare to publish
• Administrator Guide
  • Adding Users

Install SecureDrop

• Overview
  • Technical Summary
  • Infrastructure
  • Operation
• Terminology
  • App Server
  • Monitor Server
  • Source Interface
  • Document Interface
  • Journalist Workstation
  • Admin Workstation
  • Secure Viewing Station
  • Two-Factor Authenticator
  • Transfer Device
• Passphrases
  • Admin
  • Journalist
• Hardware
  • Required Hardware
  • Optional Hardware
  • Specific Hardware Recommendations
• Before you begin
• Create Tails USBs
  • Install Tails
  • Enable Persistent Storage
• Set up the Secure Viewing Station
• Set up the Data Transfer Device
• Generate the SecureDrop Application GPG Key
  • Correct the system time
  • Create the key
• Set up the Admin Workstation
  • Start Tails with Persistence Enabled
  • Download the SecureDrop repository
  • Create the Admin Passphrase Database
• Set up the Network Firewall
  • Before you begin
  • Initial Configuration
  • SecureDrop Configuration
  • Keeping pfSense up to date
• Set up the Servers
  • Install Ubuntu
  • Test Connectivity
  • Set up SSH keys
  • Minor Admin Tasks
• Install SecureDrop
  • Install Ansible
  • Configure the Installation
  • Run the Ansible playbook
• Configure the Admin Workstation Post-Install
  • Auto-connect to the Authenticated Tor Hidden Services
  • Set up two-factor authentication for the Admin
• Create an admin account on the Document Interface
• Test the Installation
  • Test connectivity
  • Sanity-check the install
  • Test the web interfaces
• Onboard Journalists
  • Determine access protocol for the Secure Viewing Station
  • Create a Journalist Tails USB
  • Set up automatic access to the Document Interface
  • Add an account on the Document Interface

Topic Guides

• SecureDrop Deployment Best Practices
  • Landing Page
  • Minimum requirements for the SecureDrop environment
  • Suggested
  • Whole Site Changes
• Google Authenticator
  • iOS
  • Android
• Useful Logs
  • Both servers
  • App Server
  • Monitor Server
• OSSEC Guide
  • Setting up OSSEC alerts
  • Troubleshooting
  • Analyzing the Alerts
• Tails Guide
  • Installing Tails on USB sticks
  • Configure Tails for use with SecureDrop
• Setting up a printer with Tails
• SecureDrop On-Site Training Schedule
  • Day 1: Preparation and Install
  • Day 2: Journalist and Admin Training
• Using YubiKey with the Document Interface
  • Download the YubiKey personalization tool
  • Set up OATH-HOTP
  • Set up a user with the OATH-HOTP secret key
• Backup and Restore SecureDrop
  • Minimizing disk space
  • Backing Up
  • Restoring

Upgrade SecureDrop

• Upgrade to 0.3.x
  • Upgrade from 0.2.1 to 0.3.x
  • Upgrade from 0.3pre to 0.3.x
• Upgrade from 0.3.x to 0.3.5
  • Important Changes
  • Prerequisites
  • Upgrade Procedure
• Upgrade from 0.3.5 to 0.3.6
  • Important Changes
  • Prerequisites
  • Upgrade Procedure
• Upgrade from 0.3.6 to 0.3.7
  • Upgrade Procedure
• Upgrade Tails from 1.x to 2.x
  • Upgrade each Tails device
  • Finishing up
  • Troubleshooting

Developer Documentation

• Getting Started
  • Prerequisites
  • Clone the repository
  • Virtual Environments
  • Tips & Tricks
• Generating AppArmor profiles for Tor and Apache
• SecureDrop apt repository
• Documentation Guidelines
  • Integration with Read the Docs
  • Style Guide
• Serverspec Tests
  • Install directions (Ubuntu)
  • Running the tests
  • Updating the tests
  • Spectest layout
• Threat Model
  • Assumptions
  • Attack Scenarios